CIO-CISO Relationship Must Change Per New Report

By Editorial Team | June 09, 2020
Success in the third era of enterprise IT hinges on a sound strategy that combines new, disruptive technologies with a rebalancing of existing investments.

Changing Role of the CIO

The role of the CIO is rapidly changing in many organizations. There is not a business strategy in organizations that does not involve some technology aspect—and digital innovation is often the primary ingredient underlying the business initiative. The CIO is no longer an operational executive, but an orchestration executive. We are entering into what Gartner describes as the “third era of IT.” What does this transformation mean?

Under the operational umbrella, a CIO was charged with running the data center, rolling out large IT infrastructure and application initiatives and upgrades, ensuring uptime on applications and systems, and maintaining and patching endpoints. Success measurements were pretty straightforward. Success was measured in terms of projects being completed on scope and budget and systems and applications remaining up and downtime not impacting operations.

Figure: “The CIO and Cybersecurity” report (available for download from the original page).

Orchestration of technology looks much different. The digital ecosystem no longer remains under the “roof” of the IT department—let alone the corporate “roof.” Business-managed IT shifts ownership of digital infrastructure and assets to lines of business; it also dictates a transition to a shared ownership model of technology between the CIO, other C-suite leaders, and business-line executives. Discussions of a few years ago around questions such as “How can we stamp out shadow IT initiatives?” shift to questions such as “How do we integrate shadow IT into our broader digital strategy?”

At the same time, cloud adoption moves applications, infrastructure, and data outside of the on-premises data center—or even private cloud—into public clouds of varying flavors—from Software-as-a-Service (SaaS) to Infrastructure-as-a-Service (IaaS). In this new digital ecosystem, CIOs are charged with working across functions to ensure the right data governance, compliance policies, and data privacy models are instituted across and between each of them.

Figure 1. The 2019 CIO Survey conducted by Harvey Nash/KPMG found that CIOs who are digital leaders exhibit four differentiating strategies over those deemed laggards.

Changing Dynamics in the Relationship Between the CISO and CIO

Not only is the role of the CIO in transition but also the role of the CISO. Many of the same dynamics driving the change in the CIO’s role are also affecting that of the CISO. My team at Fortinet has conducted significant research into the shifting role of the CISO—and the cybersecurity team in general—over the past couple of years. Similar to the CIO, the CISO is no longer seen as a technologist but rather as a business enabler.

One of the repercussions is that the CISO moved out from underneath the CIO in the majority of instances and now reports to the board of directors or CEO nearly two-thirds of the time (in our same study of the state of cybersecurity and the CISO, we found that the CISO still reports to the CIO only 22% of the time). While this change is mandated in some industry settings, the rationale in many instances is the increased focus on cybersecurity and the risks that threats pose to the business—with operational outages, data breaches, and brand damage tallying into the millions per incident.

Figure 2. Top three success measurements for CIOs

Yet, despite these changes, the relationship between the CISO and the CIO remains intertwined. Further, while one might conclude that cybersecurity is no longer a primary concern for the CIO, this is not the case. For example, in IDG’s annual study this year on the state of the CIO, CIOs indicated that they spend more than half of their time managing security. This was their number one response, ranking higher than aligning IT initiatives with the business, driving business innovation, and improving IT operations and systems performance. (Our recent study on the state of the CIO and cybersecurity uncovered similar findings: 55% named it among their top three success measurements.) And while many CIOs meet with their boards of directors on a regular basis, 91% of the time they spend with the board is devoted to IT risk and cybersecurity.

Involving IT in business-managed IT initiatives is critical when it comes to security. The 2019 Harvey Nash/KPMG CIO Survey finds that 4 in 10 organizations fail to include IT in business-managed IT initiatives, and those organizations are twice as likely to experience a security event.

The intertwining of cybersecurity responsibilities is part of a larger business and technology dynamic. The digital ecosystem is no longer overseen by one or two executives but is a shared responsibility that reaches across the executive suite, into the boardroom, and across individual business functions and departments. Indeed, in the different State of Cybersecurity reports covering different personas across network, security, and IT functions, cybersecurity was regularly cited as a top responsibility: by the security architect, the IT infrastructure leader, the network engineering and operations leader, and the CIO and CISO alike. And while cybersecurity may not be a top priority and responsibility for business-line leaders, other studies find that it is a focus area for them, particularly with the growth of business-managed IT.

Figure 3. CIOs’ confidence in their organizations’ cybersecurity

Understanding the Key Security Challenges of the CIO

Digital innovation (DI) is driving much of the security focus of CIOs. Revenue growth and margin improvements are increasingly tied to DI initiatives. This forms a critical focus for CIOs and will consume even more attention in coming years. In a rapidly evolving marketplace, creating new approaches to product development, customer engagement, and operations can mean the difference between success and failure for the company. Three security challenges threaten these initiatives:

  • An expanding attack surface. DI initiatives make for a more widely distributed network. Most companies now move services back and forth between multiple public and private clouds as well as the corporate data center. Internet-of-Things (IoT) devices are now proliferating at the endpoint, and many organizations are starting to analyze and process that information at the edge of the network. Network traffic now routinely travels on the public internet using software-defined wide-area networking (SD-WAN) technology. And application development often takes place using DevOps processes, which place a premium on speed and agility.

Given these trends, it is no surprise that when CIOs name their biggest challenges resulting from the expanding attack surface, increasing complexity was cited by nearly half of respondents—more than twice as often as any other answer. CIOs fear that responses to an expanded attack surface will result in the slowing of DI initiatives—either by reducing network performance or mandating manual security processes that interrupt progress. Indeed, security needs to be built into each new element of the attack surface—and integrated with the rest of the security architecture—rather than being “bolted on” as an afterthought.

  • An advanced threat landscape. Cyber criminals are delivering attacks with increasing volume, velocity, and sophistication, rendering the manual security processes of the past completely inadequate. Automation and emerging technologies like artificial intelligence (AI) and swarm technology are enabling threat actors to deliver highly targeted attacks at machine speed to breach systems or disrupt customer-facing services.

As the custodians of those services, CIOs can feel overwhelmed by these threats—especially at organizations where their visibility is indirect. Indeed, threat visibility was one of the top three challenges brought on by the threat landscape cited by CIOs surveyed by Fortinet. The other two commonly mentioned challenges are instructive: the need for a security strategy and the need for more training and development.

Another question in the survey highlights the threat landscape issue. In a freeform question, CIOs were asked to name their top industry challenges regarding security. The most-cited answer, mentioned three times as often as any other category, was external hackers and attackers.

  • Security complexity. The first two challenges naturally lead to this one. As the attack surface grows and threats become more sophisticated, organizations scramble to provide new protections. Often, this results in the deployment of point products that cover specific new elements of the attack surface—but are not integrated with the larger security architecture. On top of this, many organizations simply use the built-in security tools provided by each public cloud to which they subscribe, resulting in a security silo for each cloud.

Tellingly, the challenge related to security complexity most commonly cited by CIOs in the Fortinet study is job stress—a natural response to a situation that feels so “out of control.” The second and third most common answers may be attempts to alleviate that stress—the need for a security strategy and the need for more training and development.

Are CIOs Overconfident About Their Security Posture?

While CIOs remain highly concerned about cybersecurity and the majority are measured by its success, we found in a recent study that a majority of CIOs wear rose-colored glasses when it comes to their organizations’ security posture. But serious security gaps remain—regardless of whether they or the CISO are responsible for them. For example, nearly 7 out of 10 CIOs said their security architecture remains fragmented, consisting of point security solutions, and that they lack visibility and centralized control across the entire attack surface. Nearly half admit they struggle to protect against unknown and zero-day threats. And about one-third describe their security approaches as reactive and indicate they cannot measure risk and balance that against risk tolerance.

Figure 4. Intrusions at CIO organizations in the past 12 months

Much work remains to be done on these fronts. The outcome is that organizations remain at risk of cyberattack, and data reveals that they continue to experience serious levels of intrusions. 83% of CIOs experienced at least one intrusion in the past year. Over half encountered three or more, and more than one-quarter experienced six-plus. And these did not occur without business impact. Half of the CIOs in the study admitted to operational outages, with 4 in 10 claiming revenue repercussions and risk to physical safety. Almost 40% cite brand degradation as an outcome.

Figure 5. Security issues ranking in the top three for CIOs

Security Best Practices for Top-tier CIOs

The reality is that some CIOs are more successful when it comes to cybersecurity than others. Seeking to discover the success factors of those deemed security leaders, we delved into the survey data to compare the security practices of CIOs whose organizations had no intrusions in the past year to those who had six or more intrusions—deemed “top tier” and “bottom tier.” We found that top-tier CIOs were more likely than bottom-tier ones to practice the following:

  • Purchasing an end-to-end, integrated security solution—2x more likely
  • Meeting regularly with the CEO to discuss cybersecurity—71% more likely
  • Outsourcing a majority of security functions to an MSSP—4x more likely
  • Tracking and reporting productivity gains from security solutions—134% more likely
  • Achieving full visibility and control across the entire attack surface—42% more likely
  • Deploying automated proactive threat protection—17% more likely
  • Using automated critical security workflows—15% more likely

Measuring Cybersecurity in Business Terms

Few CISOs will be surprised at any of these best practices, but some of them may be new to the CIO—and even more so to directors and other members of executive management. This illustrates a basic problem that CISOs face when communicating with other senior leaders. While the CISO rightly focuses on protecting systems, blocking attacks, and protecting ever-expanding attack surfaces, these priorities do not communicate well in a business context unless they are “translated.”

Specifically, CEOs and boards of directors see the threats posed by cybersecurity gaps as threats to the success of the company. They do not like to dwell on the technical details, however, and want to see the tangible impact on the business.

CIOs are being pushed in that direction as well: 81% of them are taking on an expanded business role. But given that 43% of CIOs rose to their current role from application development, many of them are not fully prepared for this. Only 10% have earned an MBA, and 42% indicate they need help in interactions with other executives.

The security analytics CIOs cite as being tracked and reported seem to confirm the above. The top two metrics are technical and do not translate into language the business understands: vulnerabilities found and blocked (54%) and intrusions detected and remediated (51%). In order for these to resonate with the C-suite and board of directors, they need to be translated into financial metrics that make sense to the business.

Specifically, executives need to understand the level of risk exposure and what this looks like in terms of probability of operational outages, lost data, or damaged brand reputation. Additionally, other metrics that make better sense in terms of conveying business value or impact, such as productivity gains from security deployments (49%), cost reduction and avoidance (49%), and tangible risk management outcomes (44%), are measured somewhat less frequently.

How CISOs Should Engage with CIOs

While most CIOs and CISOs are peers and have different reporting structures today than a few years ago, communications and collaboration between them and their teams will continue to be critical to the business. Four suggestions can help bring these two professionals together around business outcomes:

  • Develop security measurements collaboratively. The CIO and the CISO can work together to measure and report business-oriented outcomes that senior leadership can identify with. As noted above, measuring business impact is more common among top-tier enterprises than bottom-tier ones.
  • Build an integrated security architecture. As the owner of most new elements of the attack surface, the CIO should be the CISO’s ally in ensuring that security is built into the foundation of every new service, and that the entire security architecture is integrated. After all, this will help ensure that intrusions do not occur—and that performance is not negatively impacted by security protections.
  • Automate workflows and threat intelligence. In an age where speed and agility are essential, manual security processes slow things down for the CIO. For the CISO, these processes also increase risk given that threats now move at machine speed. An automated approach to threat detection, intelligence sharing within the organization, threat response, and tracking and reporting solves a critical business problem for both executives. They should work together to ensure that it happens.
  • Work together to stay on top of business-managed IT. Just as security is becoming more of a shared business responsibility, many aspects of IT management now reside outside the CIO’s and CISO’s reporting structure. In these cases, the CISO and CIO should collaborate to ensure that security is a part of the “checklist” of best practices and metrics tracking across the organization.

The role of the chief information officer is expanding beyond that of a technology champion. As organizations become increasingly digital, the CIO will need to become a partner who helps shape the business.

One interesting data point in our research relates to managed security service providers (MSSPs). As I mentioned above, top-tier CIOs were four times as likely to outsource a majority of security functions to MSSPs than their bottom-tier counterparts. This was by far the biggest differential between the two groups. The pile of urgent demands that need attention is not getting any smaller for either the CISO or the CIO. Acknowledging together that outside help is needed to keep the organization safe may be one of the best examples of the collaboration that is needed between the CISO and the CIO.

View the on-demand webinar, “What Matters to the CIO When It Comes to Cybersecurity.” Panelists Mark Las (CIO, Chicago State University) and Bob Bragdon (SVP/Publisher, CSO Magazine) discuss these issues in more detail.